many: introduce a tool to sign assertions

[pedronis]

The branch introduces a tool to sign assertions in the form of stand-alone snap-assert executable,
I think once we understand the needs better it may be moved to a snap subcommand if that is what makes sense. It is mainly intended to be used by other tools (snapcraft, model-creator etc.)

The tool piggy backs to a local GPG setup for signing (through a GPGKeypairManager), and allows to give the input for the assertion as either YAML or JSON, and as flat header values (if the assertion doesn't have a body) or specifying headers and body if not.

Private keys can be identified by long key id or using an account-key assertion as a opaque handle.

Here is a walk through for it:

http://pastebin.ubuntu.com/17367550/

Still to-do:

• testing of snap-asserts (either unit tests or with spread?)

[atomatt]

It would be nice to mention GNUPGHOME works here too.

[atomatt]

s/lets specify/specifies

[atomatt]

[optional] it might be nicer to group these fields with one doc comment.

[atomatt]

Maybe group StatementMediaType and Statement with one doc comment too?

[atomatt]

The more I see "content-body" the less I like it. I suspect it will never be called "content-body", so I would rename it to "body" now (the sensible choice ;)) in the hope it never needs to be renamed.

[atomatt]

remove this blank line so it's more obvious it applies to the func?

[atomatt]

The "AndRevision" part of this (and TestSignKeyIDNestedJSONWithBodyAndRevision below) feels like it should be a separate test, e.g. TestRequestRevisionOverridesHeaderReevision or similar.

[pedronis]

I made a separate test

[atomatt]

Is the "NestedYAML" part of the name relevant? It's seems like an implementation detail of the test to me.

[atomatt]

Might be nice to mention that it overrides anything in the statement.

[pedronis]

it's a bit true for the lot of them, I think we'll want some actual document about this at some point soon

[atomatt]

+1, thanks for the changes

[edit] I've been using this quite a bit over the last few hours to generate account-key and account asserts, signed by keys in a local gnupg keyring. It's nice to use and works really well :)

[kyrofa]

s/strigify/stringify/

[kyrofa]

This seems fairly straight-forward, though regarding the usage within snapcraft it would probably be best to have @sergiusens take a look-- he'll have a better idea of how he's planning on using it.

[sergiusens]

What component has to handle the wizard for setting up? Is the user facing side of this only ever going to be snapcraft?

[sergiusens]

Hm, it seems the model create, snapcraft and probably others to come will use this. It makes sense to do the gpg setup in a central location as well (snap-assert init which other tools can call to be certain the same gpg store is used when using multiple tools).

[pedronis]

@sergiusens setting up is a bit of a complex thing and also orthogonal and is mostly a UX problem, but has nothing that is quite specific to the assert library, you should look at Celso's "RFC: User-signed assertions" thread for some sense of the problems there

[atomatt]

"The" should be lower case here, and "statement" should be title case I think.

[atomatt]

It would be nice to make this one line, like the other paragraphs in the file.

[atomatt]

Maybe something like, "The signer identifier (the authority-id header value in the resulting assertion) can be specified with --authority-id together with --key-id to select the GnuPG key by long key id.", to better explain the two go together?

And I think s/account key assertion/account-key assertion.

[atomatt]

I sort-of see what you mean by "For clarity" here, but it feels a bit redundant. I also find the rest a little bit hard to read. What about something like:

"The type of assertion to create must be given as the first positional argument on the command line, followed by an optional input file called here the statement. If the statement is omitted or - is passed stdin will be used."

[atomatt]

Maybe change "without body" to "without a body" or "with no body"?

[atomatt]

I think I would change the start of this to:

"In the end, assertion header values will be text but, abstractly, the value of some headers have specific simple types. In these cases, it is possible ..."

[atomatt]

lgtm, +1. I added a few suggestions to try to improve the long form doc.

[atomatt]

sorry, should have pointed this out more explicitly ... s/abstractely/abstractly

[niemeyer]

I'm picking this point to comment because it's a good example to highlight, but this is not specific to it: the initial gut reaction while reading this is that the tool is quite loose, with excessive flexibility and fiddling. This is not a good property for something dealing with assertions and signatures.

This ought to be much more tight: take a set of key/value pairs, and that's it. Fields are either there, with their proper names, or they're not. The body will need special handling, but that's trivial to get right by simply saying we have a "body" field, which we should never have as an actual header anyway as it would be very confusing.

That means this interface ends up looking a lot like Database.Sign, which is a good indication and makes me wonder if we need this package at all. Let's see how much we can take out of it.

[niemeyer]

Checks above should be redundant with logic inside Database.Sign.

[pedronis]

they all are, it's mostly about failing errors/having more contextual messages

[niemeyer]

If the error message is not good, let's fix it, and drop the redundancy. We have exactly the same context inside and outside, after all they're both specifically designed for this job.

[niemeyer]

Checks above also ought to be done by Database.Sign, and per our conversation today we shouldn't ask the user for the account key, but should rather have it at hand in our database (fetching it if necessary, at some point).

[pedronis]

as I said we need to decide what is "our" database here

[niemeyer]

This doesn't look very controversial. Let me know what you need a decision upon more specifically.

[niemeyer]

Also a job for Database.Sign.

[pedronis]

it does, again @emgee asked for earlier more contextual error

[niemeyer]

If the error message is not good, let's fix it, and drop the redundancy. We have exactly the same context inside and outside, after all they're both specifically designed for this job.

[niemeyer]

Very concerned about this one. Sounds completely obvious and innocent, yet it's implicitly defining critical properties about the format of headers. Back then we've constrained the headers to map[string]string precisely so we could not worry by consciously keeping it to a minimal set of types until a further time. This one function is now opening up to nested structures with no discussion about how structured documents should be put in place.

My suggestion is this: to avoid the discussion today, let's keep the tool as taking a map[string]string type. Then, on a follow up let's open the header format itself to be map[string]interface{}, and let's design how structured documents look like both in memory and when serialized.

[pedronis]

happy to drop this, again any changes to asserts need to fit in the roadmap

[niemeyer]

Of course, it's always a fine dance. Most of my recommendations here go towards simplification.

[niemeyer]

"true" and "false" are the default terms in Go, Python, Javascript/JSON, etc, so I wouldn't do yes/no.

[pedronis]

that's what the design document uses for flag though

[niemeyer]

Glad we're catching that now. Let's try to fix it in the sprint.

[niemeyer]

Uh.. let's please consider this by itself rather than inside the signing tool.

[niemeyer]

For the reasons we discussed today, this should probably be inside the "snap" tool itself, as it will talk to snapd for ensuring the content signed is reasonable. "snap sign" sounds nice (even despite that). Then, per above points, let's please simplify its interface to be a bit more tight.

As a strawman, how about cat input.yaml | snap sign, where the input looks like

type: ...
authority-id: ...
...
revision: ...
body:

We don't have to worry about JSON for now.

With that, we can just decode into a map[string]string, take "body" out, and hand onto Database.Sign using the data we can learn directly from it (assertion type, etc).

[pedronis]

I have mixed feelings about exposing as a top command a tool that needs a working gpg setup and maybe snapcraft interactions (to register keys) to work

[pedronis]

the new direction needs a clearer idea about the flow to enable keys so closing for now